Ever heard of “fuzzing”? It’s not what you think — in software engineering, the term refers to a bug-detecting technique that involves feeding “unexpected” or out-of-bounds inputs to target programs. It’s especially good at uncovering memory corruption bugs and assertion failures, which normally take keen eyes and a lot of manpower — not to mention endless rounds of code review.
Google’s solution? Pass the fuzzing work off to software. Enter ClusterFuzz, a cheekily named infrastructure running on over 25,000 cores that continuously (and autonomously) probes Chrome’s codebase for bugs. Two years ago, the Mountain View company began offering ClusterFuzz as a free service to open source projects through OSS-Fuzz, and today, it’s open-sourcing it on GitHub.
The open source implementation of ClusterFuzz requires a few Google Cloud Platform services, Google says, but is compatible with any compute cluster.
“We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed,” wrote ClusterFuzz team members Abhishek Arya, Oliver Chang, Max Moroz, Martin Barbella, and Jonathan Metzman in a blog post. “ClusterFuzz provides end-to-end automation, from bug detection, to triage (accurate deduplication, bisection), to bug reporting, and finally to automatic closure of bug reports.”
Here’s how it works: A project maintainer creates one or more fuzz targets and integrates them with the project’s build and test system. When ClusterFuzz finds a bug, it automatically reports the issue. After it’s fixed, it verifies the fix and closes the issue.
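What a “fuzz target” looks like in practice, as an added example that is not ClusterFuzz’s or Chrome’s own code: the `LLVMFuzzerTestOneInput` entry point is the libFuzzer convention that ClusterFuzz and OSS-Fuzz drive, while the record format and `parse_record` are a hypothetical parser written for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical record format (constructed for this example):
 *   byte 0      : type tag
 *   byte 1      : payload length n
 *   bytes 2..n+1: payload bytes
 */
struct record {
    uint8_t type;
    uint8_t len;
    uint8_t payload[255];
};

/* Returns 0 on success, -1 on malformed input. The declared length is
 * checked against the actual buffer size before any copy; a truncated
 * input is exactly the kind of case a fuzzer finds when that check is
 * missing, and AddressSanitizer would then flag the out-of-bounds read. */
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 2)
        return -1;
    out->type = data[0];
    out->len = data[1];
    if ((size_t)out->len + 2 > size)
        return -1;   /* declared length exceeds the bytes we were given */
    memcpy(out->payload, data + 2, out->len);
    return 0;
}

/* libFuzzer entry point. The fuzzer calls this with mutated inputs
 * millions of times; it must return 0 and must never crash or trip a
 * sanitizer on any input. Build and run with:
 *   clang -g -fsanitize=fuzzer,address target.c -o fuzz && ./fuzz
 * A reproducer file attached to a bug report can be replayed with
 *   ./fuzz path/to/testcase */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record r;
    if (parse_record(data, size, &r) == 0) {
        /* Invariant check: a successful parse must reproduce the input
         * bytes. Sanitizers catch memory errors; this catches logic bugs. */
        if (r.len > 0 && r.payload[r.len - 1] != data[1 + r.len])
            __builtin_trap();
    }
    return 0;
}
```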
Google says that to date, ClusterFuzz has helped to uncover more than 16,000 bugs in Chrome and more than 11,000 bugs in the over 160 open source projects integrated with OSS-Fuzz. “[ClusterFuzz] is an integral part of the development process of Chrome and many other open source projects,” the team wrote. “[It’s] often able to detect bugs hours after they are introduced and verify the fix within a day.”
ClusterFuzz is far from the only automated fuzzing solution out there. In August 2018, Google acquired GraphicsFuzz — a company specializing in mobile graphics benchmarking tools, some of which have been used to uncover vulnerabilities in phones like the Samsung Galaxy S6 and S9 — for an undisclosed amount. Microsoft two years ago launched Project Springfield, a cloud-based fuzz testing service for finding security-critical bugs in software. And there’s plenty more where those came from.